Archive for April, 2012

Using global political news as a social engineering hook is a popular cybercrime tactic for luring users into malicious schemes. We recently found a malicious file that leverages a noteworthy incident and leads to systems being infected with a backdoor.

During the second week of April, the most talked about news was North Korea’s failed attempt to launch a rocket. As expected, the bad guys were on the prowl for the next social engineering bait, and this news item was found to be a fitting choice.

The file we found was named North Korea satellite launch eclipses that of Iran.doc. The file, detected as TROJ_ARTIEF.DOC, may arrive as an attachment to an email message. Once executed, this Trojan exploits the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_POISON.DOC onto the system.

This particular backdoor is able to execute some interesting routines. Based on our analysis, it communicates with a command-and-control server on TCP port 443. The remote user may then issue several commands to the backdoor, including initiating screen capture and grabbing webcam and audio data. This routine enables a remote attacker to monitor users’ activities on the infected system.

This attack is reminiscent of similar cases we’ve reported in the past, wherein cybercriminals use messages with important-looking file names, which turn out to be malware that exploits particular vulnerabilities.

We saw samples of email messages disguised as notifications from popular networking sites, in particular LinkedIn, foursquare, Myspace, and Pinterest. These spam messages contain links that direct users to bogus pharmaceutical or fraud sites. They also use legitimate-looking email addresses to appear credible to recipients. Using famous brands like these sites is effective in luring users into the scheme, as it gives credence to an otherwise obvious scam.

Fake foursquare Email Notifications

We uncovered spammed messages masked as notifications from foursquare, a popular location-based social networking site. The first sample we found pretends to be an email alert, stating that someone has left a message for the recipient. The second message is in the guise of a friend confirmation notification.

Both messages use the address noreply@foursquare.com in the ‘From’ field and bear a legitimate-looking Message-ID. Similar to previous spam campaigns using popular social networking sites, the attackers here also disguised the malicious URLs. If users click these, the URLs direct to an empty web page containing another URL, which ultimately leads to a website selling sex-enhancement drugs.

As mentioned in our previous post, the actors behind the targeted attack campaigns we’re monitoring have updated, and are still updating, the tools of their trade to further their agenda and achieve exploitation. Using a fairly new vulnerability such as CVE-2012-0158, patched barely 2 weeks ago, may give these attackers the window of opportunity to effectively infiltrate their targets.

Moreover, the campaigns we’re seeing target sectors on a global scale, unlike the ones first seen and described in our previous post.

Taiwan

Just this week, the actors behind one campaign that we’ve been monitoring have started to exploit CVE-2012-0158 via an attachment with an original filename of 子女教育補助費101新版.doc. A snapshot of the malicious email sent can be seen below:

Japan

We’ve also seen this one sent to an industrial corporation in Japan, purportedly coming from another Japanese company:

We’ve been monitoring attacks against the said corporation for quite some time now, and previously the CVE of choice was CVE-2009-3129. The RTF file dropped is named 20120420.doc, which could refer to the date April 20, 2012, a day after the malicious document was sent.

Other malicious RTFs, exploiting CVE-2012-0158, that were also seen from Japan are as follows:

献金を受け取る機構及び人のリスト.doc (rough translation – A list of organizations and people to receive the donation.doc)

Development_plan_canon_2012.doc

Incidentally, the dropped payload of the aforementioned RTF files, detected as TSPY_GEDDEL.EVL, was also seen as the payload in this previous attack.

Russia, Vietnam and others…

Other RTF files, also exploiting CVE-2012-0158, that we’ve seen aimed at a particular geographic audience include one supposedly targeted at a Russian audience, as the filename of the RTF file is ядерные материалы.doc, whose literal translation is “nuclear materials.doc”, and a Vietnamese one with an original filename of Cập nhật tình hình 4.18.doc, meaning “Update 4:18.doc”. There were also submissions coming from India and Thailand, all exploiting CVE-2012-0158.
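A common thread in the samples above is an RTF document carrying a .doc filename. The following triage script is an added example, not code from the original post or from Trend Micro: it checks whether an attachment's declared extension matches the format announced by its file header, and notes when an RTF carries an embedded OLE object, which is worth a closer look rather than proof of exploitation. The attachment contents below are constructed for the example.

```python
import os
import re

# Constructed sample attachments (not the real samples from the post): the
# first two are RTF documents carrying a .doc name, as in the campaigns
# described above; the third is a genuine OLE2 (Word binary) file.
SAMPLE_ATTACHMENTS = {
    "20120420.doc": b"{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "Development_plan_canon_2012.doc": b"{\\rtf1\\ansi\\deff0 plain text body}",
    "quarterly_report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
}

RTF_MAGIC = b"{\\rtf"                              # every RTF file starts this way
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file header
MISMATCH = "extension/format mismatch: .doc name but RTF content"
OBJDATA = "embedded OLE object (\\objdata) present"

def classify_attachment(name, data):
    """Return the declared extension, the format detected from the header,
    and a list of triage findings for one attachment."""
    ext = os.path.splitext(name)[1].lower()
    head = data[:8]
    if head.startswith(RTF_MAGIC):
        fmt = "rtf"
    elif head.startswith(OLE2_MAGIC):
        fmt = "ole2"
    else:
        fmt = "unknown"
    findings = []
    if ext == ".doc" and fmt == "rtf":
        findings.append(MISMATCH)
    # \objdata is how RTF embeds OLE objects; a hit is a reason to inspect,
    # not a verdict, since legitimate documents embed objects too.
    if fmt == "rtf" and re.search(rb"\\objdata", data):
        findings.append(OBJDATA)
    return {"name": name, "ext": ext, "format": fmt, "findings": findings}

def triage(attachments):
    """Classify every (name, bytes) pair and return the results in order."""
    return [classify_attachment(n, d) for n, d in attachments.items()]

if __name__ == "__main__":
    for result in triage(SAMPLE_ATTACHMENTS):
        flag = "REVIEW" if result["findings"] else "ok"
        print(f"{flag:6} {result['name']} [{result['format']}] {result['findings']}")
```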

CVE-2012-0158 – Here To Stay

All in all, as described above and in the findings of our friends at Contagio, we’ve seen various targeted attacks ramping up their use of CVE-2012-0158 exploitation in a span of barely 2 weeks after the said vulnerability was patched by Microsoft. Moreover, Contagio’s assumption that an RTF generator is being used by these campaigns is highly possible, though we haven’t seen one yet. Evidently, this is now becoming a favorite method among those behind these targeted attack campaigns, and we’ll be seeing more of it.

CVE-2012-0158’s popularity among attackers may be due to the fact that Microsoft owns more than 90% of the productivity software market share. This alone increases the target base for cybercriminals. In addition, not everyone owns an update-able (licensed) copy of MS software, which doubles the risk for the targets.

Trend Micro protects users

Trend Micro Smart Protection Network ensures that spammed email as well as the malicious attachments are detected and removed immediately from computers. Trend Micro Deep Security users are also protected with the following rules:

The upcoming London Olympics is undoubtedly one of the most highly-anticipated sporting events of the year. It is also a favorite social engineering ploy among cybercriminals. Just recently, we found an Olympics scam in the form of a lottery that promises a free travel package to the event. Some online crooks, however, played it differently this time. Instead of the typical Olympic-related scams wherein users supposedly won tickets to the event, this scam arrives as spam disguised as an email advisory.

As mentioned, this scam comes in the form of email messages that warn recipients of fake websites and organizations selling tickets to the London Olympics 2012. These mails carry the official logo of the event to convince users of their legitimacy. Included in the message is an attached .DOC file that supposedly lists these bogus ticket sellers. The attachment, however, is actually a malicious file detected by Trend Micro as TROJ_ARTIEF.ZIGS. The malware takes advantage of the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333) to drop the backdoor BKDR_CYSXL.A. This backdoor may perform several malicious routines, including deleting and creating files and shutting down the infected system.

Readers who frequently visit this site surely know that this is just one of the many Olympic-related scams that we have seen in the past. As early as October 2008, spam messages were found masquerading as Olympic 2012 lottery notifications. Other sports events like the Beijing Olympics in 2008 and the FIFA World Cup were also no strangers to this type of ruse.

As the London Olympics 2012 draws near, we expect this type of threat to proliferate. Thus, users should make it a habit to check the legitimacy of any message before downloading its attachment or clicking the links included in it.

As the conflict in Syria persists, the Internet continues to play an interesting role. As we reported in a previous post, there have been targeted attacks against Syrian opposition supporters. With activists’ continued use of social media, it is not surprising to read reports of targeted phishing attempts to steal Facebook and YouTube credentials. A CNN report also revealed that malware was being propagated through Skype, which brings us to another Skype-themed attack that we have uncovered.

We discovered a webpage that advertises software purporting to provide encryption for Skype. This page is hosted in Syria on {BLOCKED}encription.sytes.net, which resolves to {BLOCKED}.{BLOCKED}.0.28, the same server that acted as a command-and-control (C&C) server for previous attacks. The webpage features an embedded YouTube video that claims to be from “IT Security Lab” and to encrypt voice communications.

If users are tricked into downloading the file, a program does appear that is supposed to encrypt users’ Skype data. The file, Skype Encription v 2.1.exe, is detected by Trend Micro as BKDR_METEO.HVN. During our analysis, we did not find any evidence that the software actually provides any security properties.

This file contains some interesting strings that suggest it was created by “SyRiAnHaCkErS”:

The downloaded file skype.exe, detected as BKDR_ZAPCHAST.HVN, is actually DarkComet version 3.3 and connects to {BLOCKED}.{BLOCKED}.0.28 on port 771. We were able to redirect the traffic in our test environment to confirm that it is indeed DarkComet.

Once BKDR_ZAPCHAST.HVN is installed, the attackers are able to take full control of the compromised system through the DarkComet RAT. The features of the DarkComet RAT have been covered here and here.

Trend Micro users need not worry, as they are protected from this threat via the Trend Micro™ Smart Protection Network™, which detects and deletes the related malware. We are also continuously monitoring this campaign and will update users on any significant developments.